Delta Air Lines offered the additional details about the attack on Thursday, a day after saying that only a “small subset” of customers was affected.

The Atlanta-based airline said that it wasn’t sure whether customers’ information was actually compromised by malware that it believes was in software used by (24)7.ai, which provided the airline with online chat services for customers, for about two weeks. The software company said it discovered and fixed the breach in October.

Sears said in a statement that it believes the malware led to “unauthorised access to less than 100,000 of our customers’ credit card information.”

Sears Holdings Corp., which also operates Kmart stores, said it learned of the problem in mid-March and immediately notified credit-card companies to prevent potential fraud. Both Delta and Sears said they worked with federal law enforcement officials and IT-security experts.

It does not appear that the companies’ systems were hacked, said Bill Curtis, chief scientist at CAST, a software-security firm. Rather, the malware targeted customers as they made online purchases using infected software.

Consumers “downloaded something that was watching your screen and waiting for the credit cards to float,” Curtis said. “They stole the data as you entered it.”

A spokesman for (24)7.ai, which is based in San Jose, California, did not immediately respond to a request for comment.

Curtis said (24)7.ai “has a huge liability here.” He said companies that use outside technology providers also must take steps to check the security of the software used by those providers.

A Delta spokesman declined to discuss steps the airline took to ensure the security of the (24)7.ai software. Sears, which is based in Hoffman Estates, Illinois, did not respond immediately to a request for comment.